
Exploit code targets WordPress bloggers

by Shaun Nichols

06 Mar 2007

Hackers broke into the WordPress download server early last week

Attackers have injected exploit code into the downloadable software for the WordPress blogging service. 

The open source software allows users to set up and publish postings to a blog. The company has issued an update that repairs the vulnerability.

Although blogging services such as Blogger, TypePad and WordPress allow users to publish blog postings directly from a browser, client software offers users more flexibility.

Hackers broke into the WordPress download server early last week and embedded attack code into the 2.1.1 update of the application.

The malware opened a backdoor on infected systems that could allow an attacker to execute code and install software.

WordPress founding developer Matthew Mullenweg said on a company blog that the infected software was offered to users for three to four days as an official download before the company was alerted to the breach. 

"This is the kind of thing you pray never happens," said Mullenweg. "But it did and we are dealing with it as best we can."

Security vendor Symantec said that it had uncovered fewer than 50 attacks exploiting the backdoor. The firm rated the threat as 'low-level' because of its limited reach and easy removal. 

WordPress is recommending that all users upgrade to version 2.1.2 of the software, and has urged administrators hosting WordPress blogs to prevent access to the 'theme.php' and 'feed.php' files that are infected by the attack.
